MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd
SHA3-384 hash: 8af1aa6e2708211db5a8f390be6d5ffb10eb807337d836425419954cc7cc8f575fdad67d352638c02a9db41e3fcad155
SHA1 hash: defc6e3fcd9ce7f1d047681fa9d578eb42a23610
MD5 hash: 3c85f1a0156b0abfde3f937c97ae2d8d
humanhash: spring-south-summer-video
File name:USD 78001x40GP COC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'299'968 bytes
First seen:2020-12-20 07:56:16 UTC
Last seen:2020-12-20 09:34:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:aq7jhHSfvNThsdhLWbhpkTc6m0p9KTD9KT79KTv1QNg1zi5FHGHpTg:aWhCvXsqFpQcdqazig
Threatray 2'057 similar samples on MalwareBazaar
TLSH DD551239B545BF90D1BC463BC882805063F9ED155612D05FFEE432FEAEB27E84816A4B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: tsteam.aero
Sending IP: 103.99.1.174
From: ''Vladislav Yun'' <vladislav.yun@tsteam.aero>
Subject: RE: RE; FOB Ningbo/Shanghai - Tashkent Tovarniy
Attachment: USD 78001x40GP COC.rar (contains "USD 78001x40GP COC.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
USD 78001x40GP COC.exe
Verdict:
Malicious activity
Analysis date:
2020-12-20 07:59:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3e8c92c-a322-417b-94c2-4402ebc3c121

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108587/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.480.27156.22170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566939
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332553 Sample: USD 78001x40GP COC.exe Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 10 other signatures 2->60 7 USD 78001x40GP COC.exe 7 2->7         started        11 CsGlckR.exe 2 2->11         started        13 CsGlckR.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\Roaming\IqxEwcG.exe, PE32 7->32 dropped 34 C:\Users\user\...\IqxEwcG.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpD591.tmp, XML 7->36 dropped 38 C:\Users\user\...\USD 78001x40GP COC.exe.log, ASCII 7->38 dropped 62 Writes to foreign memory regions 7->62 64 Allocates memory in foreign processes 7->64 66 Injects a PE file into a foreign processes 7->66 15 RegSvcs.exe 17 4 7->15         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 40 akdogulojistik.com 94.199.200.89, 49752, 587 AEROTEK-ASTR Turkey 15->40 42 mail.akdogulojistik.com 15->42 44 3 other IPs or domains 15->44 28 C:\Users\user\AppData\Roaming\...\CsGlckR.exe, PE32 15->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 15->30 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 5 other signatures 15->52 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-19 01:44:09 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfrdlk7kqlen7p7jkxlnmzqqxjb5vvpdbjrbgat6lyrog73h3lgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99
AgentTesla
351b3942fbe2ec4a5fe8f92ce737337f4bd1f1d9872e230e8e99bf06e9b8e8fa
AgentTesla
52a8719e0795679e8336c841ddc5f6b0a74b5e423c4b71fe0db3ddbfbc3f7e7a
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
AgentTesla
c7c371104c985df2506b6f9b0e4133e61c96e45d9f96a9961369d52e9f9f972b
AgentTesla
c92c63658f161a639482f7e150303a4c6648f9186a8601fff6d14af694815895
AgentTesla
cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732
AgentTesla
d5a2e34a8816a75fe9d6cd9b9035040ea5777429dc7eeebc0ebb7f8a4d897495
AgentTesla
+ 2'047 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201220-rdwhcvkzds/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops file in Drivers directory
Unpacked files
SH256 hash:
343ff0dfb867e88edb0a97a340f8f09ef446a5ff4a3793a3e7e0ccb44056c03e
MD5 hash:
09fb334f339b563aa8c98b263ad494f7
SHA1 hash:
00357b9c7084cd3c70c6d95c14811a9c16a3aa64
Link:
https://www.unpac.me/results/64f3bf2a-7609-4aeb-921f-b152b8f53677/
SH256 hash:
4c2e2ecc93f4fd8c74f7c294eb4c6b5d2ef3aba9b1eebcd9797dd2d9ab71c367
MD5 hash:
35635114fea5761438c14e677ac66c40
SHA1 hash:
76a3b0a64c6160eee5ecaa8c9d458f698cbf7a0d
Link:
https://www.unpac.me/results/64f3bf2a-7609-4aeb-921f-b152b8f53677/
SH256 hash:
3ca9cf478845d74c61a836a02908c7d26d5e0b2fb8d03f92bfe5ed4a8865527a
MD5 hash:
ccaf4c52861605afe12d4fb1f927ef32
SHA1 hash:
c8c52901e58187e7597c984fb893410e613d571b
Link:
https://www.unpac.me/results/64f3bf2a-7609-4aeb-921f-b152b8f53677/
SH256 hash:
73698764c7737943ac6b0bc92d1d193357e1c7aa0d6f2eec9248ac361d391086
MD5 hash:
5f9434fbab238334b6ff0840aca513e3
SHA1 hash:
f5f88710b5a01def9385a72f55b3341224d4fc87
Link:
https://www.unpac.me/results/64f3bf2a-7609-4aeb-921f-b152b8f53677/
SH256 hash:
516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd
MD5 hash:
3c85f1a0156b0abfde3f937c97ae2d8d
SHA1 hash:
defc6e3fcd9ce7f1d047681fa9d578eb42a23610
Link:
https://www.unpac.me/results/64f3bf2a-7609-4aeb-921f-b152b8f53677/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ab3807ab14d1fe81af9051fedbab4fc09bbcaf0632cfb886d33d5ea89dc4e7d0

AgentTesla

Executable exe 516235abea82c8dfbfe955d6d66610ba43dad5e30a6213027e5e22e37f67dacd

(this sample)

  
Dropped by
MD5 9cd761e7366d4801c1ff62fffd5df810
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108587/
  
Dropped by
SHA256 ab3807ab14d1fe81af9051fedbab4fc09bbcaf0632cfb886d33d5ea89dc4e7d0

Comments